From: ebiederm@xmission.com (Eric W. Biederman)
To: Michael Schmitz <schmitzmic@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
linux-arch <linux-arch@vger.kernel.org>,
Jens Axboe <axboe@kernel.dk>, Oleg Nesterov <oleg@redhat.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Richard Henderson <rth@twiddle.net>,
Ivan Kokshaysky <ink@jurassic.park.msu.ru>,
Matt Turner <mattst88@gmail.com>,
alpha <linux-alpha@vger.kernel.org>,
Geert Uytterhoeven <geert@linux-m68k.org>,
linux-m68k <linux-m68k@lists.linux-m68k.org>,
Arnd Bergmann <arnd@kernel.org>,
Ley Foon Tan <ley.foon.tan@intel.com>, Tejun Heo <tj@kernel.org>,
Kees Cook <keescook@chromium.org>
Subject: [PATCH] alpha: Add extra switch_stack frames in exit, exec, and kernel threads
Date: Tue, 15 Jun 2021 14:36:38 -0500 [thread overview]
Message-ID: <87zgvqor7d.fsf_-_@disp2133> (raw)
In-Reply-To: <87fsxjorgs.fsf@disp2133> (Eric W. Biederman's message of "Tue, 15 Jun 2021 14:30:59 -0500")
While thinking about the information leaks fixed in 77f6ab8b7768
("don't dump the threads that had been already exiting when zapped.")
I realized the problem is much more general than just coredumps and
exit_mm. We have io_uring threads, PTRACE_EVENT_EXEC and
PTRACE_EVENT_EXIT where ptrace is allowed to access userspace
registers, but on some architectures has not saved them.
The function alpha_switch_to does something reasonable it saves the
floating point registers and the caller saved registers and switches
to a different thread. Any register the caller is not expected to
save it does not save.
Meanhile the system call entry point on alpha also does something
reasonable. The system call entry point saves the all but the caller
saved integer registers and doesn't touch the floating point registers
as the kernel code does not touch them.
This is a nice happy fast path until the kernel wants to access the
user space's registers through ptrace or similar. As user spaces's
caller saved registers may be saved at an unpredictable point in the
kernel code's stack, the routime which may stop and make the userspace
registers available must be wrapped by code that will first save a
switch stack frame at the bottom of the call stack, call the code that
may access those registers and then pop the switch stack frame.
The practical problem with this code structure is that this results in
a game of whack-a-mole wrapping different kernel system calls. Loosing
the game of whack-a-mole results in a security hole where userspace can
write arbitrary data to the kernel stack.
I looked and there nothing I can do that is not arch specific, so
whack the moles with a minimal backportable fix.
This change survives boot testing on qemu-system-alpha.
Cc: stable@vger.kernel.org
Inspired-by: Linus Torvalds <torvalds@linux-foundation.org>
Fixes: 45c1a159b85b ("Add PTRACE_O_TRACEVFORKDONE and PTRACE_O_TRACEEXIT facilities.")
Fixes: a0691b116f6a ("Add new ptrace event tracing mechanism")
History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
---
arch/alpha/kernel/entry.S | 21 +++++++++++++++++++++
arch/alpha/kernel/process.c | 11 ++++++++++-
arch/alpha/kernel/syscalls/syscall.tbl | 8 ++++----
3 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/arch/alpha/kernel/entry.S b/arch/alpha/kernel/entry.S
index e227f3a29a43..98bb5b805089 100644
--- a/arch/alpha/kernel/entry.S
+++ b/arch/alpha/kernel/entry.S
@@ -785,6 +785,7 @@ ret_from_kernel_thread:
mov $9, $27
mov $10, $16
jsr $26, ($9)
+ lda $sp, SWITCH_STACK_SIZE($sp)
br $31, ret_to_user
.end ret_from_kernel_thread
@@ -811,6 +812,26 @@ alpha_\name:
fork_like fork
fork_like vfork
fork_like clone
+fork_like exit
+fork_like exit_group
+
+.macro exec_like name
+ .align 4
+ .globl alpha_\name
+ .ent alpha_\name
+ .cfi_startproc
+alpha_\name:
+ .prologue 0
+ DO_SWITCH_STACK
+ jsr $26, sys_\name
+ UNDO_SWITCH_STACK
+ ret
+ .cfi_endproc
+.end alpha_\name
+.endm
+
+exec_like execve
+exec_like execveat
.macro sigreturn_like name
.align 4
diff --git a/arch/alpha/kernel/process.c b/arch/alpha/kernel/process.c
index 5112ab996394..edbfe03f4b2c 100644
--- a/arch/alpha/kernel/process.c
+++ b/arch/alpha/kernel/process.c
@@ -251,8 +251,17 @@ int copy_thread(unsigned long clone_flags, unsigned long usp,
if (unlikely(p->flags & (PF_KTHREAD | PF_IO_WORKER))) {
/* kernel thread */
+ /*
+ * Give it *two* switch stacks, one for the kernel
+ * state return that is used up by alpha_switch_to,
+ * and one for the "user state" which is accessed
+ * by ptrace.
+ */
+ childstack--;
+ childti->pcb.ksp = (unsigned long) childstack;
+
memset(childstack, 0,
- sizeof(struct switch_stack) + sizeof(struct pt_regs));
+ 2*sizeof(struct switch_stack) + sizeof(struct pt_regs));
childstack->r26 = (unsigned long) ret_from_kernel_thread;
childstack->r9 = usp; /* function */
childstack->r10 = kthread_arg;
diff --git a/arch/alpha/kernel/syscalls/syscall.tbl b/arch/alpha/kernel/syscalls/syscall.tbl
index 3000a2e8ee21..5f85f3c11ed4 100644
--- a/arch/alpha/kernel/syscalls/syscall.tbl
+++ b/arch/alpha/kernel/syscalls/syscall.tbl
@@ -8,7 +8,7 @@
# The <abi> is always "common" for this file
#
0 common osf_syscall alpha_syscall_zero
-1 common exit sys_exit
+1 common exit alpha_exit
2 common fork alpha_fork
3 common read sys_read
4 common write sys_write
@@ -65,7 +65,7 @@
56 common osf_revoke sys_ni_syscall
57 common symlink sys_symlink
58 common readlink sys_readlink
-59 common execve sys_execve
+59 common execve alpha_execve
60 common umask sys_umask
61 common chroot sys_chroot
62 common osf_old_fstat sys_ni_syscall
@@ -333,7 +333,7 @@
400 common io_getevents sys_io_getevents
401 common io_submit sys_io_submit
402 common io_cancel sys_io_cancel
-405 common exit_group sys_exit_group
+405 common exit_group alpha_exit_group
406 common lookup_dcookie sys_lookup_dcookie
407 common epoll_create sys_epoll_create
408 common epoll_ctl sys_epoll_ctl
@@ -441,7 +441,7 @@
510 common renameat2 sys_renameat2
511 common getrandom sys_getrandom
512 common memfd_create sys_memfd_create
-513 common execveat sys_execveat
+513 common execveat alpha_execveat
514 common seccomp sys_seccomp
515 common bpf sys_bpf
516 common userfaultfd sys_userfaultfd
--
2.20.1
next prev parent reply other threads:[~2021-06-15 19:36 UTC|newest]
Thread overview: 112+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-10 20:57 Kernel stack read with PTRACE_EVENT_EXIT and io_uring threads Eric W. Biederman
2021-06-10 22:04 ` Linus Torvalds
2021-06-11 21:39 ` Eric W. Biederman
2021-06-11 23:26 ` Linus Torvalds
2021-06-13 21:54 ` Eric W. Biederman
2021-06-13 22:18 ` Linus Torvalds
2021-06-14 2:05 ` Michael Schmitz
2021-06-14 5:03 ` Michael Schmitz
2021-06-14 16:26 ` Eric W. Biederman
2021-06-14 22:26 ` Michael Schmitz
2021-06-15 19:30 ` Eric W. Biederman
2021-06-15 19:36 ` Eric W. Biederman [this message]
2021-06-15 22:02 ` [PATCH] alpha: Add extra switch_stack frames in exit, exec, and kernel threads Linus Torvalds
2021-06-16 16:32 ` Eric W. Biederman
2021-06-16 18:29 ` [PATCH 0/2] alpha/ptrace: Improved switch_stack handling Eric W. Biederman
2021-06-16 18:31 ` [PATCH 1/2] alpha/ptrace: Record and handle the absence of switch_stack Eric W. Biederman
2021-06-16 20:00 ` Linus Torvalds
2021-06-16 20:37 ` Linus Torvalds
2021-06-16 20:57 ` Eric W. Biederman
2021-06-16 21:02 ` Al Viro
2021-06-16 21:08 ` Linus Torvalds
2021-06-16 20:42 ` Eric W. Biederman
2021-06-16 20:17 ` Al Viro
2021-06-21 2:01 ` Michael Schmitz
2021-06-21 2:17 ` Linus Torvalds
2021-06-21 3:18 ` Michael Schmitz
2021-06-21 3:37 ` Linus Torvalds
2021-06-21 4:08 ` Michael Schmitz
2021-06-21 3:44 ` Al Viro
2021-06-21 5:31 ` Michael Schmitz
2021-06-21 2:27 ` Al Viro
2021-06-21 3:36 ` Michael Schmitz
2021-06-16 18:32 ` [PATCH 2/2] alpha/ptrace: Add missing switch_stack frames Eric W. Biederman
2021-06-16 20:25 ` Al Viro
2021-06-16 20:28 ` Al Viro
2021-06-16 20:49 ` Eric W. Biederman
2021-06-16 20:54 ` Al Viro
2021-06-16 20:47 ` Eric W. Biederman
2021-06-16 20:55 ` Al Viro
2021-06-16 20:50 ` [PATCH] alpha: Add extra switch_stack frames in exit, exec, and kernel threads Al Viro
2021-06-15 20:56 ` Kernel stack read with PTRACE_EVENT_EXIT and io_uring threads Michael Schmitz
2021-06-16 0:23 ` Finn Thain
2021-06-15 21:58 ` Linus Torvalds
2021-06-16 15:06 ` Eric W. Biederman
2021-06-21 13:54 ` Al Viro
2021-06-21 14:16 ` Al Viro
2021-06-21 16:50 ` Eric W. Biederman
2021-06-21 23:05 ` Al Viro
2021-06-22 16:39 ` Eric W. Biederman
2021-06-21 15:38 ` Linus Torvalds
2021-06-21 18:59 ` Al Viro
2021-06-21 19:22 ` Linus Torvalds
2021-06-21 19:45 ` Al Viro
2021-06-21 23:14 ` Linus Torvalds
2021-06-21 23:23 ` Al Viro
2021-06-21 23:36 ` Linus Torvalds
2021-06-22 21:02 ` Eric W. Biederman
2021-06-22 21:48 ` Michael Schmitz
2021-06-23 5:26 ` Michael Schmitz
2021-06-23 14:36 ` Eric W. Biederman
2021-06-22 0:01 ` Michael Schmitz
2021-06-22 20:04 ` Michael Schmitz
2021-06-22 20:18 ` Al Viro
2021-06-22 21:57 ` Michael Schmitz
2021-06-21 20:03 ` Eric W. Biederman
2021-06-21 23:15 ` Linus Torvalds
2021-06-22 20:52 ` Eric W. Biederman
2021-06-23 0:41 ` Linus Torvalds
2021-06-23 14:33 ` Eric W. Biederman
2021-06-24 18:57 ` [PATCH 0/9] Refactoring exit Eric W. Biederman
2021-06-24 18:59 ` [PATCH 1/9] signal/sh: Use force_sig(SIGKILL) instead of do_group_exit(SIGKILL) Eric W. Biederman
2021-06-24 18:59 ` [PATCH 2/9] signal/seccomp: Refactor seccomp signal and coredump generation Eric W. Biederman
2021-06-26 3:17 ` Kees Cook
2021-06-28 19:21 ` Eric W. Biederman
2021-06-28 14:34 ` [signal/seccomp] 3fdd8c68c2: kernel-selftests.seccomp.seccomp_bpf.fail kernel test robot
2021-06-24 19:00 ` [PATCH 3/9] signal/seccomp: Dump core when there is only one live thread Eric W. Biederman
2021-06-26 3:20 ` Kees Cook
2021-06-24 19:01 ` [PATCH 4/9] signal: Factor start_group_exit out of complete_signal Eric W. Biederman
2021-06-24 20:04 ` Linus Torvalds
2021-06-25 8:47 ` kernel test robot
2021-06-26 3:24 ` Kees Cook
2021-06-24 19:01 ` [PATCH 5/9] signal/group_exit: Use start_group_exit in place of do_group_exit Eric W. Biederman
2021-06-26 3:35 ` Kees Cook
2021-06-24 19:02 ` [PATCH 6/9] signal: Fold do_group_exit into get_signal fixing io_uring threads Eric W. Biederman
2021-06-26 3:42 ` Kees Cook
2021-06-28 19:25 ` Eric W. Biederman
2021-06-24 19:02 ` [PATCH 7/9] signal: Make individual tasks exiting a first class concept Eric W. Biederman
2021-06-24 20:11 ` Linus Torvalds
2021-06-24 21:37 ` Eric W. Biederman
2021-06-24 19:03 ` [PATCH 8/9] signal/task_exit: Use start_task_exit in place of do_exit Eric W. Biederman
2021-06-26 5:56 ` Kees Cook
2021-06-24 19:03 ` [PATCH 9/9] signal: Move PTRACE_EVENT_EXIT into get_signal Eric W. Biederman
2021-06-24 22:45 ` [PATCH 0/9] Refactoring exit Al Viro
2021-06-27 22:13 ` Al Viro
2021-06-27 22:59 ` Michael Schmitz
2021-06-28 7:31 ` Geert Uytterhoeven
2021-06-28 16:20 ` Eric W. Biederman
2021-06-28 17:14 ` Michael Schmitz
2021-06-28 19:17 ` Geert Uytterhoeven
2021-06-28 20:13 ` Michael Schmitz
2021-06-28 21:18 ` Geert Uytterhoeven
2021-06-28 23:42 ` Michael Schmitz
2021-06-29 20:28 ` [CFT][PATCH] exit/bdflush: Remove the deprecated bdflush system call Eric W. Biederman
2021-06-29 21:45 ` Michael Schmitz
2021-06-30 8:24 ` Geert Uytterhoeven
2021-06-30 8:37 ` Arnd Bergmann
2021-06-30 12:30 ` Cyril Hrubis
2021-06-28 19:02 ` [PATCH 0/9] Refactoring exit Eric W. Biederman
2021-06-21 19:24 ` Kernel stack read with PTRACE_EVENT_EXIT and io_uring threads Al Viro
2021-06-21 23:24 ` Michael Schmitz
2021-06-16 7:38 ` Geert Uytterhoeven
2021-06-16 19:40 ` Michael Schmitz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zgvqor7d.fsf_-_@disp2133 \
--to=ebiederm@xmission.com \
--cc=arnd@kernel.org \
--cc=axboe@kernel.dk \
--cc=geert@linux-m68k.org \
--cc=ink@jurassic.park.msu.ru \
--cc=keescook@chromium.org \
--cc=ley.foon.tan@intel.com \
--cc=linux-alpha@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-m68k@lists.linux-m68k.org \
--cc=mattst88@gmail.com \
--cc=oleg@redhat.com \
--cc=rth@twiddle.net \
--cc=schmitzmic@gmail.com \
--cc=tj@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).